Tag ransomware

Scattered Spider Compromises VMware ESXi to Launch Ransomware Against Critical U.S. Infrastructure

July 28, 2025
Cyber Attack / Ransomware

The infamous cybercrime group Scattered Spider is targeting VMware ESXi hypervisors in a series of attacks against the retail, airline, and transportation sectors in North America. According to an in-depth analysis by Google’s Mandiant team, “The group’s core tactics remain unchanged and do not depend on software exploits. Instead, they employ a strategic playbook that primarily involves phone calls to IT help desks.” The actors are described as aggressive and innovative, particularly adept at using social engineering to bypass even robust security systems. Their operations are precision-driven campaigns focused on the most critical systems and data of their victims. Also known as 0ktapus, Muddled Libra, Octo Tempest, and UNC3944, these threat actors have a track record of executing sophisticated social engineering tactics to gain initial access to target environments, subsequently employing a “living-off-the-land” (LotL) strategy by leveraging trusted administrative tools.

Scattered Spider Breaches VMware ESXi to Launch Ransomware Attacks on Critical U.S. Infrastructure July 28, 2025 In a concerning escalation of cyber threats, the cybercriminal group known as Scattered Spider has been orchestrating targeted attacks on VMware ESXi hypervisors, primarily affecting sectors such as retail, airlines, and transportation across North…

Read More

Scattered Spider Compromises VMware ESXi to Launch Ransomware Against Critical U.S. Infrastructure

July 28, 2025
Cyber Attack / Ransomware

The infamous cybercrime group Scattered Spider is targeting VMware ESXi hypervisors in a series of attacks against the retail, airline, and transportation sectors in North America. According to an in-depth analysis by Google’s Mandiant team, “The group’s core tactics remain unchanged and do not depend on software exploits. Instead, they employ a strategic playbook that primarily involves phone calls to IT help desks.” The actors are described as aggressive and innovative, particularly adept at using social engineering to bypass even robust security systems. Their operations are precision-driven campaigns focused on the most critical systems and data of their victims. Also known as 0ktapus, Muddled Libra, Octo Tempest, and UNC3944, these threat actors have a track record of executing sophisticated social engineering tactics to gain initial access to target environments, subsequently employing a “living-off-the-land” (LotL) strategy by leveraging trusted administrative tools.

Stealthy New Ymir Ransomware Utilizes Memory Exploits to Target Corporate Networks

November 12, 2024
Cyber Attack / Cybercrime

Cybersecurity experts have identified a new ransomware variant, Ymir, which was deployed in an attack just two days after systems were compromised by RustyStealer, a type of credential-stealing malware. Kaspersky, a prominent Russian cybersecurity firm, noted that “Ymir ransomware features a distinctive mix of technical capabilities and tactics that bolster its effectiveness.” The attackers employed an unusual combination of memory management functions—malloc, memmove, and memcmp—to execute malicious code directly within system memory. This method diverges from the conventional execution flow found in common ransomware, significantly enhancing its stealth. Kaspersky reported observing this ransomware in an attack on an unnamed Colombian organization, with the threat actors leveraging stolen corporate credentials acquired through RustyStealer to gain unauthorized access.

New Ymir Ransomware Unveiled: A Stealthy Threat to Corporate Networks November 12, 2024 Cyber Attack / Cybercrime Cybersecurity experts have identified a newly emerged ransomware variant dubbed Ymir, which has been linked to a recent cyberattack. This attack occurred just two days after an initial compromise via a stealer malware…

Read More

Stealthy New Ymir Ransomware Utilizes Memory Exploits to Target Corporate Networks

November 12, 2024
Cyber Attack / Cybercrime

Cybersecurity experts have identified a new ransomware variant, Ymir, which was deployed in an attack just two days after systems were compromised by RustyStealer, a type of credential-stealing malware. Kaspersky, a prominent Russian cybersecurity firm, noted that “Ymir ransomware features a distinctive mix of technical capabilities and tactics that bolster its effectiveness.” The attackers employed an unusual combination of memory management functions—malloc, memmove, and memcmp—to execute malicious code directly within system memory. This method diverges from the conventional execution flow found in common ransomware, significantly enhancing its stealth. Kaspersky reported observing this ransomware in an attack on an unnamed Colombian organization, with the threat actors leveraging stolen corporate credentials acquired through RustyStealer to gain unauthorized access.

Ex-NSA Chief Paul Nakasone Issues a Caution to the Tech Industry

The recent shifts in the United States’ cybersecurity landscape illustrate a tumultuous period marked by significant policy changes under the Trump administration. The alterations to fiscal policy and foreign relations, coupled with widespread dismissals of federal staff, have left crucial cybersecurity priorities shrouded in uncertainty. This concern was evident at…

Read MoreEx-NSA Chief Paul Nakasone Issues a Caution to the Tech Industry

Dialysis Company Breach Impacts 1 Million People, Incurred Costs of $13.5 Million So Far

Data Breach Notification, Data Security, Fraud Management & Cybercrime Interlock Claims to Possess 1.5TB of DaVita’s Data Amid Rising Costs Marianne Kolbasuk McGee (HealthInfoSec) • August 6, 2025 Image: DaVita Inc. DaVita Inc., a leading provider in kidney dialysis services globally, recently reported to regulators that a cyberattack occurring in…

Read MoreDialysis Company Breach Impacts 1 Million People, Incurred Costs of $13.5 Million So Far

Rising Threats: Ransomware Victims, Data Breaches, and Info Stealers

Surge in Cybercrime: Alarming Trends in Ransomware and Infostealer Attacks Recent research highlights a significant escalation in cybercrime activity throughout 2025, characterized by substantial increases across various types of threats. Notably, there has been a staggering 800% rise in credential theft attributed to information-stealing malware, defining identity theft as a…

Read MoreRising Threats: Ransomware Victims, Data Breaches, and Info Stealers

ZLoader Malware Makes a Comeback Using DNS Tunneling to Conceal C2 Communications

Cybersecurity researchers have identified a new iteration of the ZLoader malware that utilizes Domain Name System (DNS) tunneling for command-and-control (C2) communications, showcasing that threat actors are actively enhancing their toolset after its reappearance a year ago. “Zloader version 2.9.4.0 features significant improvements, including a custom DNS tunnel protocol for C2 communications and an interactive shell supporting over a dozen commands, potentially aiding in ransomware attacks,” Zscaler ThreatLabz noted in a report released on Tuesday. “These enhancements provide added resilience against detection and mitigation efforts.” ZLoader, also known as Terdot, DELoader, or Silent Night, functions as a malware loader capable of deploying subsequent payloads. Following the shutdown of its infrastructure, malware campaigns distributing ZLoader were observed again for the first time in nearly two years in September 2023.

ZLoader Malware Resurfaces Utilizing DNS Tunneling for C2 Communications On December 11, 2024, cybersecurity experts reported the emergence of an updated version of the ZLoader malware, which now employs a Domain Name System (DNS) tunneling technique for its command-and-control (C2) communications. This advancement illustrates a continued evolution of this malicious…

Read More

ZLoader Malware Makes a Comeback Using DNS Tunneling to Conceal C2 Communications

Cybersecurity researchers have identified a new iteration of the ZLoader malware that utilizes Domain Name System (DNS) tunneling for command-and-control (C2) communications, showcasing that threat actors are actively enhancing their toolset after its reappearance a year ago. “Zloader version 2.9.4.0 features significant improvements, including a custom DNS tunnel protocol for C2 communications and an interactive shell supporting over a dozen commands, potentially aiding in ransomware attacks,” Zscaler ThreatLabz noted in a report released on Tuesday. “These enhancements provide added resilience against detection and mitigation efforts.” ZLoader, also known as Terdot, DELoader, or Silent Night, functions as a malware loader capable of deploying subsequent payloads. Following the shutdown of its infrastructure, malware campaigns distributing ZLoader were observed again for the first time in nearly two years in September 2023.

Ransomware Attack on Arkansas Oncology Group Impacts 113,500 Patients – The HIPAA Journal

Ransomware Attack on Arkansas Oncology Group Impacts Over 113,000 Patients In a significant data breach, the Arkansas Oncology Group reported a ransomware attack affecting approximately 113,500 individuals. This incident, as detailed by the HIPAA Journal, underscores the increasing threats posed by cybercriminals in the healthcare sector, which frequently stores sensitive…

Read MoreRansomware Attack on Arkansas Oncology Group Impacts 113,500 Patients – The HIPAA Journal

ToolShell Exploit Confuses the Lines Between Crime and Espionage

Black Hat, Cyberwarfare / Nation-State Attacks, Events Also: Rethinking IT-OT Integration; Previewing Black Hat 2025 Anna Delaney (annamadeline) • August 1, 2025 Clockwise, from top left: Anna Delaney, Mathew Schwartz, Suparna Goswami, and Tom Field This week, four editors from ISMG convened to delve into the latest developments surrounding the…

Read MoreToolShell Exploit Confuses the Lines Between Crime and Espionage